*******************************************************************************
**                                                                           **
**                      United Phreaker's Incorporated                       **
**                                                                           **
**                               presents....                                **
**                                                                           **
**                    UPi Newsletter Volume #1, Issue #2                     **
**                                                                           **
**                      The Virus/Trojan Horse Guide                         **
**                                                                           **
**                 By: Scarlet Spirit (Vice-Prez of UPi)                     **
**                                                                           **
*******************************************************************************
In this article I will present thoughts, ideas and facts about trojans
and virii. Most of them are very destructive and pack quite a punch to your
computer (in other words, something you don't want to come across).
First, let us discuss virii, since they are quite common and more
straightforward to discuss than trojans.
There are 10 different types of virii which can affect your system:
1) Virus Infects Fixed Disk Partition Table
2) Virus Infects Fixed Disk Boot Sector
3) Virus Infects Floppy Diskette Boot
4) Virus Infects Overlay Files
5) Virus Infects EXE Files
6) Virus Infects COM Files
7) Virus Infects COMMAND.COM
8) Virus Installs Itself in Memory
9) Virus Uses Self-Encryption
10) Virus Uses STEALTH Techniques
Pretty well any combination of these is possible. Some of the most
packed virii are the Whale, which has types 4 through 10, and Fish, which
has about the same.
Now I will explain each of the above virus types in detail.
1) Virus Infects Fixed Disk Partition Table: What happens with this virus
is quite interesting. It will either screw up your partition table (the
table that organises the computer's HD) totally by rewriting it, or erase
it altogether. Some examples are: Azusa, Bloody! and Joshi virii.
2) Virus Infects Fixed Disk Boot Sector: This type of virus will erase or
mess up your boot sector beyond repair. There is quite an easy way of
protecting yourself from such a virus. All you need to do is get a small
util which will back your boot sector up to a diskette and let you
restore it in case trouble strikes. This is better than counting on your
virus scanner to catch it, just in case it misses it. That way you know
you have a backup if the need arises. Some examples are: 1253, Korea
and Invader virii.
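The boot sector backup the article recommends, written out as an added example
(this is not code from the article or from UPi). It works on a disk image held
in memory rather than a real drive; a DOS-era util would read sector 0 through
BIOS INT 13h instead. The layout assumed is the classic PC master boot record
(boot code, a four-entry partition table at offset 446, 0x55AA signature at
offset 510), and the sample image, its OEM label and its single partition are
constructed for the demo. The check tells you which part of the sector changed
(partition table, boot code or signature), which covers type 1 as well as
type 2 above, and restore() puts the saved copy back.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510       # 0x55AA marks a valid boot sector
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def make_sample_disk() -> bytes:
    """Constructed 4-sector disk image with a minimal MBR in sector 0."""
    boot = bytearray(SECTOR_SIZE)
    boot[0:3] = b"\xEB\x3C\x90"              # JMP SHORT + NOP, a typical boot-code start
    boot[3:11] = b"UPINEWS2"                 # OEM label (constructed)
    # One bootable FAT16 (type 0x06) partition: LBA start 63, 1000 sectors
    boot[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0F", 63, 1000)
    boot[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(boot) + bytes(SECTOR_SIZE * 3)


def boot_sector(image: bytes) -> bytes:
    return image[:SECTOR_SIZE]


def parse_partition_table(sector: bytes) -> list:
    """Decode the non-empty partition entries; raises if the signature is gone."""
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for k in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * k)
        if ptype == 0:                       # empty slot
            continue
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count})
    return parts


def fingerprint(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()


def make_backup(image: bytes) -> dict:
    """What the backup util saves to diskette: the raw sector plus its hash."""
    sector = boot_sector(image)
    return {"sector": sector, "sha256": fingerprint(sector)}


def check(image: bytes, backup: dict) -> str:
    """Return 'ok', or a description of which region of sector 0 changed."""
    cur, ref = boot_sector(image), backup["sector"]
    if fingerprint(cur) == backup["sha256"]:
        return "ok"
    problems = []
    if cur[SIGNATURE_OFFSET:] != ref[SIGNATURE_OFFSET:]:
        problems.append("boot signature")
    if cur[PART_TABLE_OFFSET:SIGNATURE_OFFSET] != ref[PART_TABLE_OFFSET:SIGNATURE_OFFSET]:
        problems.append("partition table")
    if cur[:PART_TABLE_OFFSET] != ref[:PART_TABLE_OFFSET]:
        problems.append("boot code")
    return "modified: " + ", ".join(problems)


def restore(image: bytes, backup: dict) -> bytes:
    """Write the saved sector back over sector 0, leaving the rest untouched."""
    return backup["sector"] + image[SECTOR_SIZE:]


def simulate_damage(image: bytes) -> bytes:
    """Constructed stand-in for an infection: partition table zeroed, boot code altered."""
    sector = bytearray(boot_sector(image))
    sector[PART_TABLE_OFFSET:SIGNATURE_OFFSET] = bytes(64)
    sector[0:3] = b"\x00\x00\x00"
    return bytes(sector) + image[SECTOR_SIZE:]


if __name__ == "__main__":
    disk = make_sample_disk()
    saved = make_backup(disk)
    print("clean:", check(disk, saved), parse_partition_table(boot_sector(disk)))
    damaged = simulate_damage(disk)
    print("after damage:", check(damaged, saved))
    print("after restore:", check(restore(damaged, saved), saved))
```

The hash comparison is what a scanner does; the region report is what the
backup util adds, because knowing that only the partition table moved tells
you the boot code restore is safe and the partition data itself is probably
still on the disk.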
3) Virus Infects Floppy Diskette Boot: This type of virus is similar to the
one which infects Fixed Disk Boot Sector. The only difference is it's
infecting the diskette boot sector and not the fixed disk's.
Some examples are: Curse Boot, AirCop and Chaos virii.
4) Virus Infects Overlay Files: A virus of this kind will either alter your
overlay files, usually by changing their size by a given number of bytes, or
erase them totally. I don't know which is worse, but they're both quite
bad. Some examples are: 4096, Virus 101 and Jerusalem 24 virii.
5) Virus Infects COM Files: This type of virus is similar to the one which
infects Overlay files, but it infects COM files. It will alter them or
erase them just like it would do to the overlays. Sometimes you'll find
this type of virus together with the one which affects Overlay files to really
fuck you up. Some examples are: Mix2, Terror and Brain Slayer virii.
6) Virus Infects EXE Files: Exactly the same as COM files but for EXE's.
Some examples are: Striker, Cancer and V-299 virii.
7) Virus Infects COMMAND.COM: This type of virus will alter your COMMAND.COM
and really mess your hard drive up. Without COMMAND.COM your HD will not
boot by itself. So to cure yourself you'd have to try and boot off a
diskette and restore your HD from there. There's the odd chance your
COMMAND.COM will be corrupt when you try to restore, and you'll be forced
to reformat. Some examples are: Ontario, Wolfman and Flip virii.
8) Virus Installs Itself in Memory: These types of virii are really a bitch.
They'll store themselves in memory and either sit there until a certain
time, then execute and still remain there, or execute right away and
begin damaging. Every time you try to fix the damage it causes, it will
execute and start damaging again. Some examples are: Dark Avenger, Ping
Pong-B and Stoned virii.
9) Virus Uses Self-Encryption: These virii encrypt themselves as soon as
they are run. This allows you no access to the file without a password of
some kind. This is done so you don't delete the file that the virus is
originating from or alter it in any way. Some examples are: 1260, XA1 and
Kennedy virii.
10) Virus Uses STEALTH Techniques:
That about wraps it up for the different types of virii. Now
let's find out where virii are made, how they're packaged and how you
can protect yourself from such danger.
Most virii are made by programmers, as you might guess, in many different
parts of the world. Some of the best come from Jerusalem, Israel and many other
exotic places. They are usually made by people who are experimenting with
different types of programming and want a change from making their normal,
boring programs. Some are developed in universities where the programmers
hate their computer teacher and want to wipe the main HD out. One of the most
common places virii are made is in some idiot's own home. That person
feels like getting kicks out of wiping some guy's HD out. Oh well, all of us
get our jollies from something.
Virii come in a variety of packages. If you BBS, as you most likely do
since you are reading this, the BBS world is a breeding area for virii. They
can be hidden in many different ways. For instance, if a piece of software
comes out, this is the chance the programmer of the virus is waiting for. He
will take that piece of software and replace the executable file with his
virus. Of course, you're thinking "Wow! I've been waiting for this piece of
software forever!" and you run it as soon as you get it. Next thing you know
your HD is going berserk. There are many other tricky ways people hide virii;
you never know where they'll be found.
You say to yourself "Is there no escape?" Well, thank god I can tell
you there is. Some of the most skilled programmers have come up with programs
to protect you from virii. Some, for instance, are McAfee's Scan, Cleanup and
V-Shield. Also Norton's Anti-Virus and Central Point's Anti-Virus. There
are many more, but these are updated most often and easy to come by. To check all
McAfee's Scan will tell you which virii were detected, in what files, and
give you a prefix to use with Cleanup. If virii were detected you use
Cleanup to clean them out; sometimes some files will be lost. V-Shield
is just like Scan except it's memory resident (TSR), and when loaded it does
a scan of memory, COMMAND.COM and itself. Then as you run programs, if you
happen to run into a virus it will stop you from doing so and tell you
what virus you almost ran into. Norton's & Central Point's stuff is similar
but all compacted into one program. The only problem is they seem slower,
use more memory, and the updates are hard to come by. They are also commercial
while McAfee's stuff is PD. Even with all this protection you can still get
hit, so try and back up as much as possible. Also wait for other people to try
the piece of software and see if it affected their system. You can also
try viewing the executable file to see if there is any weird message in it;
for instance the Violator virus has a message from RABiD near the end of it.
Small executable files are also a hiding place for virii. If you see a small
executable file, beware: most executable files are quite large.
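The checks the article lists for spotting an infected executable (a file that
changed or grew by a fixed number of bytes as in types 4 to 6, a weird message
in the file, an executable that is unusually small, and a body that looks
encrypted as in type 9) can all be run from a baseline. The following is an
added example, not code from the article or any of the scanners it names. The
file set, the marker text and the 1024-byte "small" threshold are constructed
for the demo; the baseline would normally be saved to a write-protected
diskette when the system is known clean.

```python
import hashlib
import math
from collections import Counter

EXEC_SUFFIXES = (".COM", ".EXE", ".OVL", ".SYS")
SMALL_THRESHOLD = 1024          # constructed threshold for "suspiciously small"
MIN_STRING = 6                  # shortest run of printable bytes worth reporting


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_executable(name: str) -> bool:
    return name.upper().endswith(EXEC_SUFFIXES)


def take_baseline(files: dict) -> dict:
    """files maps name -> contents. Record size and hash of every executable."""
    return {n: {"size": len(d), "sha256": sha256(d)}
            for n, d in files.items() if is_executable(n)}


def audit(files: dict, baseline: dict) -> list:
    """Compare the current files against the baseline; return (name, finding) pairs."""
    findings = []
    for name, rec in baseline.items():
        if name not in files:
            findings.append((name, "missing"))
            continue
        data = files[name]
        if sha256(data) == rec["sha256"]:
            continue                                  # unchanged
        delta = len(data) - rec["size"]
        if delta > 0:
            findings.append((name, "grew by %d bytes" % delta))
        elif delta < 0:
            findings.append((name, "shrank by %d bytes" % -delta))
        else:
            findings.append((name, "contents changed, size unchanged"))
    for name in files:
        if is_executable(name) and name not in baseline:
            findings.append((name, "new executable not in baseline"))
    return findings


def printable_strings(data: bytes, min_len: int = MIN_STRING) -> list:
    """Runs of printable ASCII, the 'weird message' the article says to look for."""
    out, cur = [], bytearray()
    for b in data + b"\x00":                          # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    return out


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8.0 suggests encrypted or packed code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspiciously_small(files: dict, threshold: int = SMALL_THRESHOLD) -> list:
    return sorted(n for n, d in files.items() if is_executable(n) and len(d) < threshold)


# Constructed sample "directory" as it looked when the baseline was taken.
CLEAN_FILES = {
    "GAME.EXE": b"MZ" + bytes(2000) + b"Copyright 1991 Constructed Games Inc." + bytes(500),
    "DSZ.COM": b"\xE9\x10\x00" + b"\x90" * 3000,
    "README.TXT": b"not an executable, ignored by the baseline",
}
# Constructed stand-in for an appended infection: a marker string plus a
# high-entropy body, 512 bytes in total.
MARKER = b"constructed marker string"
APPENDED = (MARKER + bytes(range(256)) + bytes(512))[:512]
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["DSZ.COM"] = CLEAN_FILES["DSZ.COM"] + APPENDED
INFECTED_FILES["TINY.COM"] = b"\xC3" + bytes(40)     # small new executable


if __name__ == "__main__":
    base = take_baseline(CLEAN_FILES)
    for name, what in audit(INFECTED_FILES, base):
        print("%-12s %s" % (name, what))
    print("strings in DSZ.COM tail:", printable_strings(APPENDED)[:1])
    print("entropy of tail: %.2f" % entropy(APPENDED))
    print("small executables:", suspiciously_small(INFECTED_FILES))
```

Size growth by a constant is the cheapest tell and is what the article's "given
number of bytes" refers to; the hash catches infectors that keep the size the
same, and the entropy figure is only a hint, since legitimately compressed
executables score high too.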
Now let's move on to the other problem, trojans and ANSi bombs.
These are virtually undetectable in most cases. They are a lot simpler
and smaller than virii usually. One bang and that's all folks. In other
words they do one thing and that's it, no memory sticking. There are
a few different types I have come by:
1) Slam Bam See Ya Later, Hard Drive
2) Now You See It, Now You Don't
3) Faster than a speeding bullet, then slow as a snail's pace.
Now let's explain these funny, but destructive phrases.
1) Slam Bam See Ya Later, Hard Drive: This trojan horse, when run, will wipe
your hard drive and then die. It can do it in many different ways, such as
destroying your boot sector, overwriting your FAT, a simple erasing
routine or screwing your COMMAND.COM majorly. These are hidden in just
about anything from DSZ.COM to Norton's Disk Optimizer. Some examples are:
Giant Killer (By RABiD), EraseBoot, Frogger (Disk Optimizer [Actually
Formatter]).
2) Now You See It, Now You Don't: This is an ANSi Bomb/Trojan. It's very
easy to make and just about anyone could make one. They use ANSI.SYS's
keyboard reassignment routines and wipe your HD clean. They usually are
hidden in text or ansi screens. They can easily be prevented by using
ZANSI.SYS or another variation of ANSI.SYS. Also there are small TSR's
that will protect you from such problems. Some examples are: Well
sorry none for you this time since there are so many variations and no
names for them.
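ANSi bombs ride on the ANSI.SYS key reassignment sequence, which is an ESC [
sequence ending in the letter p instead of the m that colour codes end in. A
small checker that reads a text or ANSi screen before you TYPE it, reports any
key reassignment it finds and strips it while keeping the colour codes, is
added here as an example (not code from the article, and not ZANSI.SYS or any
of the TSRs it mentions). The sample screen is constructed; it contains one
colour sequence and one reassignment of the Enter key (code 13) to the harmless
text "help". The quoted string in a reassignment may itself contain a p, so the
scanner has to track quotes rather than stop at the first letter.

```python
ESC = 0x1B
QUOTES = (0x22, 0x27)          # " and ' both delimit strings in ANSI.SYS parameters


def tokenize(params: bytes) -> list:
    """Split 'code;"text";code' into ("num", n) and ("str", s) tokens."""
    tokens, i = [], 0
    while i < len(params):
        c = params[i]
        if c in QUOTES:
            end = params.find(bytes([c]), i + 1)
            if end == -1:                               # unterminated quote
                end = len(params)
            tokens.append(("str", params[i + 1:end].decode("latin-1")))
            i = end + 1
        elif c == ord(";"):
            i += 1
        else:
            end = i
            while end < len(params) and params[end] not in QUOTES and params[end] != ord(";"):
                end += 1
            field = params[i:end].decode("latin-1").strip()
            if field.isdigit():
                tokens.append(("num", int(field)))
            i = end
    return tokens


def decode_reassignment(params: bytes) -> tuple:
    """Return (which key, what it is remapped to) for an ESC[...p sequence."""
    toks = tokenize(params)
    if not toks:
        return "?", ""
    if toks[0] == ("num", 0) and len(toks) > 1 and toks[1][0] == "num":
        key, rest = "extended scancode %d" % toks[1][1], toks[2:]   # 0;scancode form
    elif toks[0][0] == "num":
        key, rest = "ASCII %d" % toks[0][1], toks[1:]
    else:
        key, rest = "'%s'" % toks[0][1], toks[1:]
    mapped = "".join(chr(v) if kind == "num" else v for kind, v in rest)
    return key, mapped


def scan_ansi(data: bytes) -> tuple:
    """Return (findings, cleaned): key reassignments found, and the data without them."""
    out, findings, i, n = bytearray(), [], 0, len(data)
    while i < n:
        if data[i] == ESC and i + 1 < n and data[i + 1] == ord("["):
            j, in_quote = i + 2, None
            while j < n:                                # find the final byte
                c = data[j]
                if in_quote:
                    if c == in_quote:
                        in_quote = None
                elif c in QUOTES:
                    in_quote = c
                elif 0x40 <= c <= 0x7E:                  # final byte of a CSI sequence
                    break
                j += 1
            if j >= n:                                  # unterminated: keep as-is
                out += data[i:]
                break
            if data[j] == ord("p"):
                key, mapped = decode_reassignment(data[i + 2:j])
                findings.append({"offset": i, "key": key, "mapped": mapped})
            else:
                out += data[i:j + 1]                    # colour/cursor codes pass through
            i = j + 1
        else:
            out.append(data[i])
            i += 1
    return findings, bytes(out)


# Constructed sample screen: a colour banner plus one Enter-key reassignment.
SAMPLE_SCREEN = (b"\x1b[1;31mWelcome to The Shining Realm\x1b[0m\r\n"
                 b"\x1b[13;\"help\";13p"
                 b"Press any key...\r\n")


if __name__ == "__main__":
    found, cleaned = scan_ansi(SAMPLE_SCREEN)
    for f in found:
        print("offset %d: key %s remapped to %r" % (f["offset"], f["key"], f["mapped"]))
    print("cleaned:", cleaned)
```

Any 'p' sequence at all is reason enough to refuse the file; the decoded
key and replacement are there so you can see what it would have done. Running
the cleaned output through ANSI.SYS is then no riskier than plain text.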
3) Faster than a speeding bullet, then slow as a snail's pace:
This type of trojan will slow your computer down majorly. You can usually
set a time for the trojan to go off. After it does then it will slow
your computer down bits at a time until it takes like 30 minutes to load
Pac-Man. An example is: SlowDown 1.04.
There are many other types of trojans and I could be here all day
telling you about them. These are the most common ones, in order from most
common to least common. New ones are made just about every day which do
different things. There are not very many ways you can protect yourself
from such trouble yet. FluShot is one of the best ways, but it limits your
computer in many ways. You can use it to write-protect your HD so no writes
will be made, or make it ask you before a write is made so you know when an
illegal write is being attempted. There are also programs like TrapDisk
which stop the formats sometimes caused by trojans and prompt you before a
format is done. There are also a variety of others. The best way to protect
yourself from everything is to keep updated backups. Also, waiting for other
people to try the piece of software before you do and finding out how they
handled it would be a good way of protection.
Trojans and ANSi Bombs come in a variety of different packages. They
are usually hidden better than virii. Some trojans come in the style of a
disk optimizer that really wipes your HD, or a DSZ update that will wipe you
out as well. They can be found just about anywhere. ANSi Bombs are usually
hidden in what seems to be a board ad such as README.ROS or something of that
nature. No piece of software can be trusted. Trojans and ANSi Bombs are also
hidden by the same methods as virii. So you can refer back to the
How Virii Are Hidden and Protecting Yourself from Virii paragraphs.
This pretty well covers quite a bit about virii and trojans. Always
be careful, because everything isn't always as it seems to be.
Never let your guard down, because the day you do is the day you get hit.
Even if you haven't ever come across a virus or trojan before, there's
a first time for everything.
Scarlet Spirit
Sysop of The Shining Realm
UPi Vice-President
Greetings Go Out To:
Phantom Prowler, Black Bird, Tyler, Silent Death, Glass Head, Dr. Dread,
The Hellraiser, The Juggernaut, Galaxy Raider, D.J. Bravestar, Iron Christ,
Knight Excalibur, Dr. Sysop, Infiltrator, Demon Slayer, Dark Staph,
Dragon Highlord, Ninja Boy, Platinum, Neural Plexus, Vision Assembler,
Forensic Forsythia, Destroyer, Snowhawk, Dark Rider, The Jammer, Law N.Order,
and The Wild Genius.
Sorry if I missed your name but I could only include so many. Here are
some personal greetings for all those people who make great impacts on
me:
Nyarlathotep: Cool it on the quoting. Your words are just as good as others.
The Enchanter: How are the women? Sell me your HST!
Arc Angel: Ahh That's Too Bad...
And in a place all his own the person who was responsible for the destruction
and take down of Spectrum. Yes, you know him all as that egomaniac from hell,
he's the one the only: Space Ace! He thought he could run the group but he
didn't have what it took and ended up GIVING UP and FAILING at what he started
at. Oh well. No one's perfect.
Listing Of Current UPi Members.....
President: The Lost Avenger (416)
Vice President: Scarlet Spirit (416)
Programmers: Damaged Sectorz (602), Mad Hatter (514)
Couriers: The Serious One (819)
Other Members: Dantesque (416), Inphiniti (216), MCi Sprinter (216), Rocket
Richard (313)
Call These Other UPi Nodes.....
-------------------------------------------------------------------------------
Node     BBS Name                  Area  Baud  Megs  BBS         Sysop
Number                             Code  Rate        Program
-------------------------------------------------------------------------------
WHQ      The Violent Underground   416   2400  85    PCBoard     The Lost Avenger
Node #1  The Shining Realm         416   2400  95    Telegard    Scarlet Spirit
Node #2  Inphiniti's Edge          216   2400  60    Aftershock  Inphiniti
-------------------------------------------------------------------------------
If you'd like to join UPi as a member or as a node then please leave me
mail on any of the numbers listed above. Then I will send you the
appropriate application for you to fill out. From there you must send me
the completed application form, either by E-mail or by uploading it to any
one of the UPi sites.